Cryptolocker Ransomware: What You Need To Know

Update 06/02/2014: Today the US Department of Justice (DOJ) announced an effort to disrupt the Gameover Zeus botnet. In addition to this effort, the DOJ announced another joint effort that involved seizing computer servers used by the Cryptolocker ransomware.

“We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools…”, said Deputy Attorney General James Cole in today’s announcement.

Evgeniy Bogachev was identified as a leader of cyber criminals based in Russia and Ukraine responsible for the development and operation of both the Gameover Zeus and Cryptolocker schemes. He is currently wanted by the FBI.

While the C2 infrastructure is currently under the control of law enforcement, this is likely to be only a temporary disruption of the malware until new servers come online.

It’s worth stating that users still need to protect themselves from Cryptolocker despite this recent disruption. Continue to maintain a strong security posture, including keeping antivirus/anti-malware definitions up to date and avoiding unexpected email attachments, even if you know the sender.

Update 12/20/2013: A new version of Cryptolocker—dubbed Cryptolocker 2.0—has been discovered by ESET, although researchers believe it to be a copycat of the original Cryptolocker after noting large differences in the program’s code and operation. You can read the full blog comparing the two here.

Original story:

Just last month, antivirus companies discovered a new ransomware known as Cryptolocker.

This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.

Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks.

Cryptolocker encrypts users’ files using asymmetric encryption, which requires both a public and a private key.

The public key is used to encrypt data (and to verify signatures), while the private key is used for decryption; each operation is the inverse of the other.

Below is an image from Microsoft depicting the process of asymmetric encryption.

The bad news is that decryption is impossible unless a user has the private key, which is stored only on the cybercriminals’ server.

In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.

Removal:

Malwarebytes Anti-Malware detects Cryptolocker infections under multiple names, including Trojan.Ransom and Trojan.CriLock.XL, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires the private key to decrypt files encrypted with the public key.

In order to make removal even easier, a video was also created to guide users through the process (courtesy of Pieter Arntz).

While Malwarebytes cannot recover your encrypted files post-infection, we do have options to prevent infections before they start.

Users of Malwarebytes Anti-Malware Premium are protected by malware execution prevention and blocking of malware sites and servers.

To learn more on how Malwarebytes stops malware at its source, check out this blog.

Free users will still be able to detect the malware if present on a PC, but will need to upgrade to Pro in order to access these additional protection options.

Backup:

Also, the existence of malware such as Cryptolocker reinforces the need to back up your personal files.

However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.

Cloud-based backup solutions are advisable for business professionals and consumers alike. Malwarebytes offers Malwarebytes Secure Backup, which offers an added layer of protection by scanning every file before it is stored within the cloud in an encrypted format (don’t worry, you can decrypt these).

Update: Adam Kujawa from Malwarebytes gives further insight about Cryptolocker in an interview with Category 5.

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell

Ken Halloran

This whole article reads like an ad for Malwarebytes paid software. That is disappointing. I’ve always thought highly of your software and approach to security. Your web site is very informative. This just sounds like so many other bait & switch security tools that offer “free” scans but lo and behold, you have to purchase the “pro” version to actually get rid of anything. I always thought Malwarebytes was above that kind of tactic. Guess I was wrong.

https://www.facebook.com/judie.tassiejag Judie Tassie Jag

I have 2 Trojan.Ransom in my Quarantine of Malwarebytes Anti-Malware Pro. Do I just leave or delete these, or do I need to do something else? There seems to be no effect on my computer that I’ve noticed.

Cecile Nguyen

Judie, if the trojans are in the quarantine, they will no longer affect your computer. Deleting it will permanently remove it from your computer. We place items in quarantine first to allow users to decide if they would like to delete or perhaps restore the item. In your case, I would recommend deleting it.

Cecile Nguyen

Hi Ken, Malwarebytes Anti-Malware Free will still detect AND remove cryptolocker. However, since the Free version is an on-demand scanner, Malwarebytes Anti-Malware Free will not detect cryptolocker until after you run a scan. It will remove the ransomware following a scan but right now, there is no way to get your encrypted files back besides using a restore point.

The paid PRO version, however, offers real-time protection and will block cryptolocker from running, thus saving you the headache of encrypted files.

However, for anyone who reads it, please keep in mind that unless you have already backed up your files prior to the infection, there is very little to no chance that you can get them back. If you call the number of the “Technician” described on the freetechsupport.com website, do not fall for any potential scams or false truths about them being able to recover your files. Without the decryption key stored on the remote command and control server, it is not possible to get back your files.

I’m not sure if this will help anyone, but a computer came into our shop recently with this virus. The countdown timer is controlled by the bios clock. Changing the bios clock back a few days resets the timer til the private key is destroyed.

Also, it’s now not only marked hidden but it’s also marked itself as a system file so you got to turn that on, too.

I have the file on a flash drive; if someone would tell me where to upload it I’ll send it to Malwarebytes. Right now I’m too busy dealing with this to search the website.

John P

Nice ad for Malwarebytes. Here’s the FACTS: A. This sort of thing has been around for YEARS, not just “last month”. B. I have personally worked on several computers infected with this and similar malware that had MBAM Pro installed and running, so the assertion that it will protect you is FALSE. C. In many cases, even an MBAM scan afterwards will not fully remove this, or detect it, and that is if you can even get to the point of running it, in which case a System Restore or reinstallation is your only remedy. D. ALWAYS back up your data.

Now to the good news. I have found the way to decrypt files after Cryptolocker has done its modifications. It renamed the files but there was no encryption set. So you should be able to restore them by renaming the extension of the tmp file.

Nick
Res-Q IT

sc0tt

Hi Nick,
That is potentially big news. Do you know if you were just dealing with the original version of the trojan, which reportedly only had weak encryption? The one we have been dealing with is the real deal with 256-bit.

Where were these tmp files you speak of?
Thanks!
There’s a long ongoing discussion on this with people trying different things here:
www bleepingcomputer com/forums/t/506924/cryptolocker-hijack-program/page-45

sc0tt

We have successfully reinfected and decrypted, see the URL mentioned above for full info.

@sc0tt – that’s misleading. Saying here, on this forum, that you decrypted the files is incorrect. You may have recovered some from vss and other protected stores. But to decrypt them, no, absolutely not.

I find it funny though, that most malware companies and virus companies release these so-called vagrant files to the public, either through devious methods such as updates for Google and Flash Player, or fake websites. When it is easy to shut down these fake websites they refuse to go after them, so by knowing that, they are the ones releasing it to make money from ignorant people.
Nice going!

https://www.facebook.com/Hatterasman Kim Taylor

“Free users will still be able to detect the malware if present on a PC, but will need to upgrade to Pro in order to access these additional protection options.” I have to agree with Ken. You couldn’t have come up with a better advertisement for Malwarebytes if you had paid an ad agency to do it for you. I am truly thankful that the Center for Disease Control doesn’t use your philosophy for virus protection.

Olivia Sky

This virus is insane and virtually impossible to get rid of. I made a youtube video documenting the process when we had to pay our dreaded $300 to “get” our files back, http://www.youtube.com/watch?v=iiGSr-HSPb0 Hopefully this helps anyone who wants to know what happens after they pay. I hope they find the morons who made this virus.

It seems they just worded it poorly. The free version *DOES* detect AND remove the trojan. The free version just does not have active real-time protection, which is available in the Pro version.

MB is very clear that the free version is on-demand, and the Pro version is real-time prevention/protection. It’s always been that way. It’s not a bait and switch. Compared to most other solutions, MBAM Pro is a steal anyway. No recurring subscription costs, and very effective scanning and removal.

I’ve only used the free version but it has helped me out many times when helping family members and others with malware removal.

This blog post is a little overly-saturated in marketing, sure, but they do have a product that removes and prevents this malware, so why wouldn’t they market it as a solution?

I paid the $300 and then after an hour the files were unlocked. It took about 7 hours. I was able to access the files for most of the day. I decided to buy MalwareBytes Anti-Malware Premium and installed it on the computer. I ran it and found many objects that said “Spybot”. Once I removed them and restarted the machine, the Windows 7 operating system went into start-up repair for a couple of hours and everything was encrypted again and the Cyberlocker was back after it had been gone for half a day. If you pay the ransom, back up your files before you remove the Cryptolocker because it comes back with a vengeance if you try and remove it. This thing is a nightmare and has spread to other computers in my office. I don’t think there is a way to stop it.

Please don’t make that guess! I would like it to be useful, but I believe that the secret key isn’t on your system, making it impossible to decipher your data by any means. The key shall be on the attacker’s machines and given to you only when you give the ransom.

The data is encrypted on your machine with a “matching” public key, which is totally useless to recover your data (at least in these days and ages!).

In reply to:
smpsn07 on October 10, 2013 at 12:23 pm said:
I’m not sure if this will help anyone, but a computer came into our shop recently with this virus. The countdown timer is controlled by the bios clock. Changing the bios clock back a few days resets the timer til the private key is destroyed.

I’ve got 3 of these at my work…2 we were able to remove and restore data. 3rd..unable to do so (user decided to clean it and restored the system).

1. Do not attempt to clean the virus right away
***there are 2 files..one is in the temp folder, the second is in your profile common folder.
2. Disconnect yourself from the internet right away and avoid using the mouse (meaning do not click on anything).
3. If you are already infected with this virus..reset system changed the dates…this is a token, which will utilize your bios time.

Fyi. If you use ctrl+alt+del to kill the crypto process it will be useless. It is self regenerating. Download Process Explorer, run it and select the crypto process and then select KILL TREE!!!! I have stopped the virus and cleaned it but unless you have system restore set to create restore points of EVERYTHING.

I have an idea but I haven’t tested it yet. I have a bachelor in Information Technology and Systems, but this may or may not help anyway.
If you backup the files, that nasty piece of software can encrypt your backup, but if you encrypt your files first, your files are protected and I guess you cannot encrypt an already encrypted file.
Use AxCrypt to encrypt them.
Can someone test it for me? The reason is my computer is being repaired.
cheers
Jc

superstupidvideos, that is absolute nonsense.
You can easily encrypt files multiple times and you’ll have to decrypt them in reverse order (usually, anyway, some encryptions are commutative).

Anyway, there’s a free Windows tool called CryptoPrevent which is able to keep malware like Cryptolocker from running. It works by keeping executables in certain locations from running which is what Cryptolocker depends on.

Been an interesting read but no one here (well maybe Nixitur) understands how encryption works. Not even sure, having seen video, that Malware knows…..

So here is the deal, cryptolocker:
Installed by whatever means
disables task manager/regedit etc.
polls a load of addresses until it can find a control server
server gives it a public key
cryptolocker saves the public key in the registry
it then trolls all drives for file patterns (*.whatever) – anything with a letter assigned
it finds a file and generates a NEW AES key, encrypts then overwrites, and stores a change record in a file under your user directory. This file then contains the filename and the unique AES key but is encrypted with the public key (so no reverse)
… repeats over and over

I did think about weaknesses in all this but I have to say the unique AES key for each file is a killer…. the obvious counter, I thought of, was to grab the current AES key whilst it was still active but the buggers clearly thought of that

So a nice video but not well informed. I personally got myself a Bluray burner for Crimbo this year so I can do some hard copy backups. Also use Outpost and lock down a folder of important backup data (but clearly that can never be 100% as it is still in the OS)
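The hybrid scheme laid out in the comment above (and the public/private key point in the article body) worked through as an added Go example; this is illustrative code written for this page, not Cryptolocker’s code or Malwarebytes’ analysis. It assumes RSA-OAEP for the key wrap and AES-GCM for the file layer, which the comment does not specify, and the file names and contents are constructed. It shows that the operator’s private key recovers a file, that a per-file AES key captured from memory opens only the one file it was generated for, and that the artifacts left on the victim machine (public key, wrapped key, ciphertext) are not enough on their own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is all that remains on the victim machine for one file; none of it opens without the RSA private key.
type LockedFile struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// OperatorKeys models the server-side RSA pair; only the PublicKey half is ever sent to the infected machine.
func OperatorKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// LockFile models the per-file step from the comment: a fresh 256-bit AES key seals the file with AES-GCM, then the key
// is wrapped with RSA-OAEP (file name as label/additional data). The raw key is returned only to model a memory grab.
func LockFile(pub *rsa.PublicKey, name string, plaintext []byte) (*LockedFile, []byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, []byte(name))
	if err != nil {
		return nil, nil, err
	}
	return &LockedFile{Name: name, Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, fileKey, nil
}

// UnlockFile is the operator's side: unwrapping needs the private key, which never exists on the victim machine.
func UnlockFile(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, lf.WrappedKey, []byte(lf.Name))
	if err != nil {
		return nil, err
	}
	return OpenWithFileKey(fileKey, lf)
}

// OpenWithFileKey models a per-file key captured from memory: it opens only the one file it was generated for.
func OpenWithFileKey(fileKey []byte, lf *LockedFile) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, []byte(lf.Name))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, _ := OperatorKeys()
	a, keyA, _ := LockFile(&priv.PublicKey, "budget.xlsx", []byte("Q3 figures")) // constructed sample, not a real file
	b, _, _ := LockFile(&priv.PublicKey, "thesis.docx", []byte("chapter one"))  // constructed sample
	pt, _ := UnlockFile(priv, a)
	_, err := OpenWithFileKey(keyA, b)
	fmt.Printf("operator recovers %q; key captured for A applied to B: %v\n", pt, err)
}
```

The GCM authentication failure on the cross-file attempt is the concrete form of the "unique AES key each file is a killer" remark: a key lifted from memory during one file's processing is useless for every other file.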

I am using MBAM Pro which I assume can keep this virus from running, but I prefer the belt and suspenders approach.

Backing up data files to protect against a CRYPTOLOCKER infection now seems to be mandatory. Since you can now buy a WD 4 TB USB drive for $160 it doesn’t really pay to not backup files. Since the extensions which CRYPTOLOCKER attempts to encrypt are known you could write a ROBOCOPY job file to copy just those extensions to a USB drive. Immediately before making this backup you could run REGEDIT and search for CRYPTOLOCKER in the entire registry. If REGEDIT did not find it you would be reasonably certain that the computer is not currently infected. You could then go ahead and make your ROBOCOPY backup. The backup USB drive must be unplugged whenever you are not actually copying to it. It would also be a good idea to disconnect the computer from the Internet before starting a backup. Unplugging the ethernet cable which connects it to a router or cable modem is simple enough. I don’t really know how to temporarily disconnect a computer from a wireless modem.

Would anyone care to assist me in temporarily disconnecting my computer from my wireless modem, writing a ROBOCOPY job file to copy the required extensions, or writing a batch file which would not write over older backups but would instead place a new backup in a new dated directory?

Unless the communication between the virus and the hacker’s server is AES encrypted with a Diffie-Hellman or RSA protected key, a simple packet sniffer should be able to determine the “private key” that is being sent to be stored on the hacker’s server.

Furthermore, even if it is encrypted for sending over the internet, at some point in the program’s running there must be an unencrypted copy of the private key in memory. In Windows 7, you can dump the memory of a running program from Task Manager. Also, the free HxD hex editor can show and edit memory in real time. Using such tools it should be possible to dump the memory and eventually figure out where the private key is, and decrypt these files yourself, without paying even a penny to the hackers. Also, as mentioned by someone here, paying only decrypts the files. It does NOT remove the malware. Any attempt by any antivirus software to remove the malware (even after you paid to get your files decrypted) will be detected by the malware, and it will get its revenge upon you by re-encrypting everything.

This is for paul1940 in regards to disabling the wi-fi on his PC. If you are using windows 7 which i presume you are then you do the following:

Click on start
Go into control panel
Go into network and internet
Go into network and sharing centre (if you do not have network and internet in the first screen then just go straight into network and sharing centre)
Click on “change adaptor settings” on the left hand side of the window
Right click on your wireless icon and click on disable.

Another way to do this would be to disable the wireless drivers entirely.

Go to start
Right click on computer (or right click on computer if it is on your desktop screen)
Go into manage
Select device manager on the left hand side
Look for “network adaptors” on the list on the right hand side
Click on the + sign and right click on your wireless driver and select disable.

Please be sure to remember to turn this back on again after you have done what it is you need to do, otherwise you won’t get access to your wi-fi on the machine, of course.

I am an avid Malwarebytes user. We use it on at least 10 machines a day on the bench at the shop. We are a reseller for Malwarebytes and honestly their software is amazing. I thought I would share my interesting experience today. We had a computer come in with the cryptolocker virus today and we kept scanning it and nothing would get rid of it. So I put the hard drive back in and powered the machine on one last time, and I noticed there was a splash screen right after the BIOS for a program called Rollback Rx and there it said press the Home key to access the subconsole, so me being Curious George I pressed the HOME KEY. It seemed to access some preboot console thing; at this point I was curious so I went to the bench computer and did a quick Google on Rollback Rx and it turned out it was like a system restore program but installed outside of Windows. So I went through the subconsole thingy and selected to restore to one day earlier, before the infection came in, and well, it seemed to work. All the customer’s data was there and there was no trace of the bug. So I contacted the makers of Rollback and they confirmed that as long as you have Rollback installed prior to getting cryptolocker or any infection, you can roll back with no issues and be back up and running. They also gave me this link to read more because I had so many questions LOL : http://www.horizondatasys.com/en/cryptolocker_removal_and_protection.ihtml

Ken Halloran says on October 8, 2013 at 12:16 pm : Right on Ken. My thoughts too. I was thinking, ‘if a panic ensues and a mass purchase of Malwarebytes and cloud products occurs, I wonder how $ would be involved? Instant millionaires? Billionaires?’ Who wrote this malware anyway?

That’s an awesome blog. We can provide the best services for your problem; any time you can call my help desk number and solve your problem, just go through this url. error 1068 windows7
Thank you
Aalia lyon

Malwarebytes will NOT protect you against the AFP ransomware (Australian Federal Police). It will NOT detect it once the HDD is infected. The Malwarebytes “To The Rescue” disk will NOT boot once the machine is infected.

Save your money, and seek an alternative product to Malwarebytes. Its advertising is somewhat over-generous in self praise – to say the least.

Carl Taylor

The best way to combat this is for the credit card companies to get involved. They need to allow their clients to pay the ransom and then allow them to reverse the charges afterwards. This is after all a criminal act and the criminals have no right to keep the ransom. What are they going to do after all. Call the credit card company and complain that the money was taken away from them? That would be great then they might be able to be identified and put in jail where they belong!

People should start by calling their credit card company and explaining the situation. I think any reasonable credit card company should comply with this especially if their client calls them in advance to explain the situation.

The Malwarebytes.org comment above “..Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention..” is incorrect. My wife has a licensed, paid-for, recently-updated “Pro” Malwarebytes version running in a Windows 8 PC. Yet, the CryptoLocker malware program – apparently downloaded as an e-mail attachment – executed just fine. Post-malware execution, MBPro identified these malware files: trojan.agent, spyware.zbot, trojan.dofoil, and Malware.Packer.as. Ok, so we quarantined them after the fact, but then taking inventory of encrypted and thus effectively destroyed files we were just heartsick. The malware destroyed a large set of Word, Excel and pdf files, and jumped to the backup drive (regrettably, plugged in to the PC at the time) and destroyed all the backups too. Yes, MB seemed like an enlightened company and the product was inexpensive, but we certainly regret relying on MBPro for malware protection.

Having just read through the above, is there a ‘good’ prevention method?

I didn’t see a reply to the post asking: does Sandboxie prevent this?
I have found Sandboxie prevent ‘things’ in the past and you can simply delete your sandbox.
Or what about a virtual machine, could that help?

Andre Santos

There was a video about this on YouTube which also showed how to obtain the key.
You’ll need to use Wireshark and look through the log for the private key, after that, enter that key in and all your files are decrypted.
There are other videos which show how to restore your files such as this.

Found this neat little APP, CRYPTOLOCKER TRIPWIRE. Which as it describes once CRYPTO attempts to modify the files it kicks in and disables access to them.
I have used it on several of my environments. Works like a charm.

This doesn’t work. I’ve tried dozens of encrypted files from different machines. None have been decrypted.

David Duchene

I was infected with what turned out to be 2 of the “CTB-Locker” virus. I paid the ransom for the first 1 and the code immediately decrypted half of my files. I paid the other as well and I received the decryption key. However, when I try to decrypt, the 1st encryption code keeps popping up. I have the encryption code for the second virus as well as the decryption code. I just don’t know how to get the two of them together. Any suggestions?

Étudiante hongroise

Hi everyone, I am infected with CTB-Locker as well. I did not pay the ransom, so all of my files remain encrypted. I have been trying to find a solution to get back my files during the last month but I could not resolve the problem. It would be very important to recover or decrypt my files as they are part of my university studies. I do not have backup files either. Can someone tell me how I could get my files back? Or does anyone know if there will be any tools developed to decrypt the files encrypted by CTB-Locker? Thank you in advance!

A wallpaper was automatically saved to my desktop from online; after that I am unable to open my Word, Excel, PDF and image files. I re-installed all software and reinstalled Win 7 Pro. Still I am unable to open my documents. I tried also on another PC but was unable to there as well. Are my Word and Excel files recoverable?

I tried many ways, with Word and Excel Viewer, copying to a new file.
Can anyone help me?

JumpyParkour

Hello Everyone!

If you didn’t know, there is Decrypt Cryptolocker, which is a site asking for an encrypted file and gives you a key in return. I forgot the website, but you can search it up.

which is exactly why hackers won’t use credit cards anyways…. they will always use some sort of cryptocurrency that can be filtered through a laundering service. Credit card companies want nothing to do with this added expense….

Hi Sham, right now that website is the only way to decrypt files locked up by cryptolocker. Be sure to follow the instructions provided on the webpage such as entering your email and then uploading the file.

If you are having issues with the website, I would recommend reaching out to FireEye or Fox IT Scanners’ support.

But to use the full version of Malwarebytes Pro, am I not able to install any other good anti-virus?

Michiel van der Blonk

After stopping the process, find it in Services, and stop it and delete it there. After that run msconfig to remove it from the start-up.

Michiel van der Blonk

Law enforcement doesn’t use popup windows. Sorry to say but you have been conned. That was just a virus or a criminal. Don’t worry.

Dick_Woodcock

Yup. Our company got hit by this. Once you remove the trojan from the system, if you have system restore turned on, all you have to do is right click on the file and select “restore previous version”.
At least it works that way in Windows 7 & 8 Pro.

Why didn’t Malwarebytes Premium protect my customer from the crypto virus? It seemed like a new version I hadn’t seen though. It had a .decrypt after all the files and a different banner on startup. Can anyone help?